Plan administrative tasks in a least-privilege environment (SharePoint Server 2010)
Applies to: SharePoint Server 2010, SharePoint Foundation 2010
This article describes how to configure and maintain a Microsoft SharePoint Server 2010 farm by using least-privileged administration.
The concept of least-privileged administration assigns users the minimum permissions that are required for users to complete authorized tasks. The goal of least-privileged administration is to configure and help maintain secure control of an environment. The result is that each service is granted access to only the resources that are absolutely necessary. Implementing least-privileged administration can result in increased operational costs because additional resources might be required to maintain this level of administration. Moreover, the ability to troubleshoot security problems can also be diminished.
|Organizations implement least-privileged administration to achieve better security than would be typically recommended. Only a small percentage of organizations require this heightened level of security because of the resource costs of maintaining least-privileged administration. However, some deployments that might require this heightened level of security include governmental agencies, security organizations, and organizations in the financial services industry. The implementation of a least-privileged environment should not be confused with best practices. In a least-privileged environment, administrators implement best practices together with additional heightened levels of security is performed.
Least-privileged environment for accounts and services
To plan for least-privileged administration, you must consider several accounts, roles, and services. Some apply to SQL Server and some apply to SharePoint 2010 Products. As administrators lock down additional accounts and services, daily operational costs are likely to increase.
Microsoft SQL Server roles
In a least-privileged administration environment, we recommend that you remove the following two SQL Server server-level roles from accounts that are not SharePoint service accounts, but are used for SharePoint administration:
dbcreator- Members of the dbcreator fixed server role can create, alter, drop, and restore any database.
securityadmin- Members of the securityadmin fixed server role manage logins and their properties. They can GRANT, DENY, and REVOKE server-level permissions. They can also GRANT, DENY, and REVOKE database-level permissions if they have access to a database. Additionally, they can reset passwords for SQL Server logins.
Security Note The ability to grant access to the Database Engine and to configure user permissions allows the security admin to assign most server permissions. The securityadmin role should be treated as equal to the sysadmin role.
The removal of one or more of these SQL Server roles might cause “Unexpected” error messages that will be displayed in the Central Administration Web site. In addition, you may receive the following message in the Unified Logging Service (ULS) log file:
System.Data.SqlClient.SqlException… <operation type> permission denied in database <database>. Table <table>
Along with an error message that may be displayed, the user may be unable to perform any of the following tasks:
Restore a backup of a farm due to the inability to write to a database
Provision a service instance or Web application
Configure managed accounts
Change managed accounts for Web applications
Any database, managed account, or services operation that requires the use of the Central Administration Web site
In certain situations, database administrators (DBAs) may want to operate independently from SharePoint administrators and create and manage all the databases. For information about how DBAs create and manage all databases, see Deploy by using DBA-created databases (SharePoint Server 2010).
SharePoint Server 2010 roles and services
In general, the ability to create new databases should be removed from SharePoint service accounts. No SharePoint service account should have the sysadmin role on the Microsoft SQL Serverinstance and no SharePoint service account should be a local Administrator on the server that runs Microsoft SQL Server.
However, you could lock down several other SharePoint Server 2010 services and accounts:
When this Microsoft SQL Server role is removed, the ability to write entries to the configuration and content database is removed. For additional information about this role, see Add-SPShellAdmin.
SharePoint Timer service (SPTimerV4)
By default, this service is installed and maintains configuration cache information. If the service type is set to disabled the following behavior may occur:
No timer jobs will run
Health analyzer rules will not run
Maintenance and farm configuration will be out of date
SharePoint Administration service (SPAdminV4)
This service performs automated changes that require local administrator permission on the server. When the service is not running, you must manually process server-level administrative changes. If the service type is set to disabled, the following behavior may occur:
Administrative timer jobs will not run
Web configuration files will not be updated
Security and local groups will not be updated
Registry values and keys will not be written
Services may be unable to be started or restarted
Provisioning of services may be unable to be completed
This service lets a site collection administrator upload sandboxed solutions to the Solutions gallery. For additional information about sandboxed solutions, see Sandboxed solutions overview (SharePoint Server 2010).
Claims To Windows Token service (C2WTS)
By default, this service is disabled. The C2WTS service may be required for deployment in which external data sources are accessed. For more information about C2WTS, see Identity delegation for Excel Services (SharePoint Server 2010), Identity delegation for Business Connectivity Services (SharePoint Server 2010), Identity delegation for SQL Server Reporting Services (SharePoint Server 2010), and How to reset the Claims to Windows Token Service account (SharePoint Server 2010).
For more information services, see SharePoint Administration service is disabled (SharePoint 2010 Products).
Depending on an organization's business requirements, if any SharePoint Server 2010 services or roles are implemented, the behavior to the following features may occur:
Backup and restore
The ability to perform a restore from a backup may fail if database permissions have been removed.
The upgrade process will start correctly, but then fail as you do not have suitable permissions to databases. If your organization is already in a least-privileged environment, the workaround is move to a best practices environment to complete the upgrade, and then move back to a least-privileged environment.
The ability to apply a software update to a farm will succeed for the schema of the configuration database, but fail on the content database and services.
Additional requirements to consider
In addition to the preceding considerations, you might have to consider more operations. The following list is not complete. Selectively use the items at your own discretion:
Setup user administrator account- This account is used to set up each server in a farm. The account must be a member of the Administrators group on each server in the Microsoft SharePoint Server 2010 farm. For additional information about this account, see Administrative accounts
Synchronization account- This account is used to connect to the directory service. For additional information, see User profile properties and profile synchronization planning worksheets (https://go.microsoft.com/fwlink/p/?LinkID=225640)
User Profile Replication Engine - This tool is part of the SharePoint Administrator Toolkit (SPAT). It lets an administrator of a User Profile Service application replicate user profiles and social data, between User Profile Service applications. Examples of user profiles or social data include social tags, notes, and ratings. For additional information about the User Profile Replication Engine tool, see User Profile Replication Engine overview (SharePoint Server 2010)
My Site host application pool account- This is the account under which the My Site application pool runs. To configure this account, you need to be a member in the Farms Administrators group.
Built-in user group- Removing the built-in user security group or changing the permissions may have unanticipated consequences.
Group permissions-By default the WSS_ADMIN_WPG SharePoint group has read and write access to local resources. The following WSS_ADMIN_WPG file system locations, %WINDIR%\System32\drivers\etc\HOSTS and %WINDIR%\Tasks are needed for Microsoft SharePoint Server to work properly. If other services or applications are running on a server, you may consider how they access the Tasks or HOSTS folder locations. For additional information about account settings, see Account permissions and security settings (SharePoint Server 2010)
Change permission of a service- A change of a permission of a service may have unanticipated consequences. For example, if the following registry key, HKLM\System\CurrentControlSet\Services\PerfProc\Performance\Disable Performance Counters, has the value of 0, the User Code Host service would be disabled which would cause sandboxed solutions to stop working. For additional information about the User Code service not working, see The SharePoint 2010 User Code Host service fails to start (https://go.microsoft.com/fwlink/p/?LinkId=225642)